On Fully Homomorphic Encryption

Täielikult homomorfne krüpteerimine on krüptosüsteem, mille puhul üks osapool saab enda valdusesse krüpteeritud andmed ning saab nende andmetega tõhusalt sooritada erinevaid operatsioone. Operatsioone saab teha hoolimata sellest, et andmed jäävad krüpteerituks ning seega ei ole ka vajalik teada dekrüpteerimisvõtit. Selline süsteem oleks äärmiselt kasulik, näiteks tagades andmete privaatsuse, mis on saadetud kolmanda osapoole teenusele. Täielikult homomorfne krüpteerimine on vastandiks krüptosüsteemidele nagu Paillier, kus ei ole võimalik teostada krüpteeritud andmete peal korrutamist ilma neid enne dekrüpteerimata, või ElGamal, kus ei saa sooritada krüpteeritud andmete liitmist enne andmete dekrüpteerimist. Täielikult homomorfne krüpteerimine on väga uus uurimisala: esimese taolise süsteemi lõi Gentry aastal 2009. Gentry läbimurdest alates on olnud palju tema tööst inspireeritud edasiminekuid. Kõik viimased täielikult homomorfsed krüptosüsteemid kasutavad avaliku võtmega krüptograafiat ja põhinevad võredel. Võre-põhine krüptograafia äratab üha enam huvi oma turvalisuse püsimisega kvantarvutites ning oma halvima juhu turvagarantiidega. Siiski jääb püsima peamine probleem: süsteemidel ei ole veel tõhusat teostust, mis säilitaks adekvaatsed turvalisuse nõuded. Selles valguses vaadatuna, viimased edasiminekud täielikult homomorfses krüpteerimises kas täiendavad eelnevate süsteemide tõhusust või pakuvad välja uue parema efektiivsusega skeemi. Antud uurimus on ülevaade hiljutistest täielikult homomorfsetest krüptosüsteemidest. Õpime tundma mõningaid viimaseid täielikult homomorfseid krüptosüsteeme, analüüsime ning võrdleme neid. Neil süsteemidel on teatud ühised elemendid: 1. Tõhus võre-põhine krüptosüsteem turvalisusega, mis põhineb üldteada võreprobleemide keerulisusel. 2. Arvutusfunktsioon definitsioonidega homomorfsele liitmisele ja korrutamisele müra kasvu piiramiseks. 3. Meetodid, et muuta süsteem täielikult homomorfseks selle arvutusfunktsiooniga. Niipea kui võimalik, kirjutame nende süsteemide peamised tulemused ümber detailsemas ja loetavamas vormis. Kõik skeemid, mida me arutame, välja arvatud Gentry, on väga uued. Kõige varasem arutletav töö avaldati oktoobris aastal 2011 ning mõningad tööd on veel kättesaadavad ainult elektroonilisel kujul. Loodame, et käesolev töö aitab lugejail olla kursis täielikult homomorfse krüpteerimisega, rajades teed edasistele arengutele selles vallas

Efektiivsed mitteinteraktiivsed nullteadmusprotokollid referentssõne mudelis

Väitekirja elektrooniline versioon ei sisalda publikatsioone.Koos digitaalse ajastu võidukäiguga on interneti vahendusel võimalik sooritada üha ulmelisemana näivaid tegevusi. Täielikule krüpteeringule ehitatud mobiilsed rakendused, nagu näiteks WhatsApp, suudavad tagada, et kõne või sõnum jõuaksid üksnes õige adressaadini. Enamik pangasüsteeme garanteerivad TLS protokolli kasutades, et arvete maksmisel ja ülekannete tegemisel poleks nende andmeid kellelgi võimalik lugeda ega muuta. Mõned riigid pakuvad võimalust elektroonilisel teel hääletada (näiteks Eesti) või referendumeid läbi viia (näiteks Šveits), tagades sealjuures traditsioonilise paberhääletuse tasemel turvalisuse kriteeriumid. Kõik eelnevalt kirjeldatud tegevused vajavad kasutajate turvalisuse tagamiseks krüptograafilist protokolli. Tegelikkuses ei saa me kunagi eeldada, et kõik protokolli osapooled järgivad protokolli spetsifikatsiooni. Reaalses elus peab protokolli turvalisuseks iga osapool tõestama, et ta seda järgis ilma privaatsuse ohverdamiseta. Üks viis seda teha on nullteadmusprotokolli abil. Nullteadmusprotokoll on tõestus, mis ei lekita mingit informatsiooni peale selle, et väide on tõene. Tihti tahame, et nullteadmusprotokoll oleks mitteinteraktiivne. Sellisel juhul piisab, kui tõestus on arvutatud ainult ühe korra ning verifitseerijatel on igal ajal võimalik seda kontrollida. On kaks peamist mudelit, mis võimaldavad mitteinteraktiivsete nullteadmusprotokollide loomist: juhusliku oraakli (JO) mudel ja referentssõne mudel. JO mudeli protokollid on väga efektiivsed, kuid mõningate piirangute tõttu eelistame referentssõne mudelit. Selles töös esitleme kolme stsenaariumit, milles mitteinteraktiivne nullteadmus on asjakohane: verifitseeritav arvutamine, autoriseerimine ja elektrooniline hääletamine. Igas stsenaariumis pakume välja nullteadmusprotokolli referentssõne mudelis, mis on seni efektiivseim ning võrreldava efektiivsusega protokollidega JO mudelis.In the current digital era, we can do increasingly astonishing activities remotely using only our electronic devices. Using mobile applications such as WhatsApp, we can contact someone with the guarantee, using an end-to-end encryption protocol, that only the recipient can know the conversation's contents. Most banking systems enable us to pay our bills and perform other financial transactions, and use the TLS protocol to guarantee that no one can read or modify the transaction data. Some countries provide an option to vote electronically in an election (e.g. Estonia) or referendum (e.g. Switzerland) with similar privacy guarantees to traditional paper voting. In all these activities, a cryptographic protocol is required to ensure users' privacy. In reality, some parties participating in a protocol might not act according to what was agreed in the protocol specification. Hence, for a real world protocol to be secure, we also need each party to prove that it behaves honestly, but without sacrificing privacy of its inputs. This can be done using a zero-knowledge argument: a proof by a polynomial-time prover that gives nothing else away besides its correctness. In many cases, we want a zero-knowledge argument to be non-interactive and transferable, so that it is computed only once, but can be verified by many verifiers at any future time. There are two main models that enable transferable non-interactive zero-knowledge (NIZK) arguments: the random oracle (RO) model and the common reference string (CRS) model. Protocols in the RO model are very efficient, but due to some of its limitations, we prefer working in the CRS model. In this work we provide three scenarios where NIZK arguments are relevant: verifiable computation, authorization, and electronic voting. In each scenario, we propose NIZK arguments in the CRS model that are more efficient than existing ones, and are comparable in efficiency to the best known NIZK arguments in the RO model

A Practical Adaptive Key Recovery Attack on the LGM (GSW-like) Cryptosystem

Under embargo until: 2022-07-15We present an adaptive key recovery attack on the leveled homomorphic encryption scheme suggested by Li, Galbraith and Ma (Provsec 2016), which itself is a modification of the GSW cryptosystem designed to resist key recovery attacks by using a different linear combination of secret keys for each decryption. We were able to efficiently recover the secret key for a realistic choice of parameters using a statistical attack. In particular, this means that the Li, Galbraith and Ma strategy does not prevent adaptive key recovery attacks.acceptedVersio

Efficient Culpably Sound NIZK Shuffle Argument without Random Oracles

One way to guarantee security against malicious voting servers is to use NIZK shuffle arguments. Up to now, only two NIZK shuffle arguments in the CRS model have been proposed. Both arguments are relatively inefficient compared to known random oracle based arguments. We propose a new, more efficient, shuffle argument in the CRS model. Importantly, its online prover\u27s computational complexity is dominated by only two $(n + 1)$-wide multi-exponentiations, where $n$ is the number of ciphertexts. Compared to the previously fastest argument by Lipmaa and Zhang, it satisfies a stronger notion of soundness

On the IND-CCA1 Security of FHE Schemes

Fully homomorphic encryption (FHE) is a powerful tool in cryptography that allows one to perform arbitrary computations on encrypted material without having to decrypt it first. There are numerous FHE schemes, all of which are expanded from somewhat homomorphic encryption (SHE) schemes, and some of which are considered viable in practice. However, while these FHE schemes are semantically (IND-CPA) secure, the question of their IND-CCA1 security is much less studied, and we therefore provide an overview of the IND-CCA1 security of all acknowledged FHE schemes in this paper. To give this overview, we grouped the SHE schemes into broad categories based on their similarities and underlying hardness problems. For each category, we show that the SHE schemes are susceptible to either known adaptive key recovery attacks, a natural extension of known attacks, or our proposed attacks. Finally, we discuss the known techniques to achieve IND-CCA1-secure FHE and SHE schemes. We concluded that none of the proposed schemes were IND-CCA1-secure and that the known general constructions all had their shortcomings.publishedVersio

Efficient Modular NIZK Arguments from Shift and Product

We propose a non-interactive product argument, that is more efficient than the one by Groth and Lipmaa, and a novel shift argument. We then use them to design several novel non-interactive zero-knowledge (NIZK) arguments. We obtain the first range proof with constant communication and subquadratic prover\u27s computation. We construct NIZK arguments for $\mathbf{NP}$-complete languages, {\textsc{Set-Partition}}, {\textsc{Subset-Sum}} and {\textsc{Decision-Knapsack}}, with constant communication, subquadratic prover\u27s computation and linear verifier\u27s computation

An Efficient Pairing-Based Shuffle Argument

We construct the most efficient known pairing-based NIZK shuffle argument. It consists of three subarguments that were carefully chosen to obtain optimal efficiency of the shuffle argument: * A same-message argument based on the linear subspace QANIZK argument of Kiltz and Wee, * A (simplified) permutation matrix argument of Fauzi, Lipmaa, and Zając, * A (simplified) consistency argument of Groth and Lu. We prove the knowledge-soundness of the first two subarguments in the generic bilinear group model, and the culpable soundness of the third subargument under a KerMDH assumption. This proves the soundness of the shuffle argument. We also discuss our partially optimized implementation that allows one to prove a shuffle of $100\,000$ ciphertexts in less than a minute and verify it in less than $1.5$ minutes

Somewhere Statistically Binding Commitment Schemes with Applications

We define a new primitive that we call a somewhere statistically binding (SSB) commitment scheme, which is a generalization of dual-mode commitments but has similarities with SSB hash functions (Hubacek and Wichs, ITCS 2015) without local opening. In (existing) SSB hash functions, one can compute a hash of a vector v that is statistically binding in one coordinate of v. Meanwhile, in SSB commitment schemes, a commitment of a vector v is statistically binding in some coordinates of v and is statistically hiding in the other coordinates. The set of indices where binding holds is predetermined but known only to the commitment key generator. We show that the primitive can be instantiated by generalizing the succinct Extended Multi-Pedersen commitment scheme (González et al., Asiacrypt 2015). We further introduce the notion of functional SSB commitment schemes and, importantly, use it to get an efficient quasi-adaptive NIZK for arithmetic circuits and efficient oblivious database queries

Verifiably-Extractable OWFs and Their Applications to Subversion Zero-Knowledge

An extractable one-way function (EOWF), introduced by Canetti and Dakdouk (ICALP 2008) and generalized by Bitansky et al. (SIAM Journal on Computing vol. 45), is an OWF that allows for efficient extraction of a preimage for the function. We study (generalized) EOWFs that have a public image verification algorithm. We call such OWFs verifiably-extractable and show that several previously known constructions satisfy this notion. We study how such OWFs relate to subversion zero-knowledge (Sub-ZK) NIZKs by using them to generically construct a Sub-ZK NIZK from a NIZK satisfying certain additional properties, and conversely show how to obtain them from any Sub-ZK NIZK. Prior to our work, the Sub-ZK property of NIZKs was achieved using concrete knowledge assumptions

On Fully Homomorphic Encryption

Fully homomorphic encryption is an encryption scheme where a party can receive encrypted data and perform arbitrary operations on this data efficiently.The data remains encrypted throughout, but the operations can be done regardless, without having to know the decryption key.Such a scheme would be very advantageous, for example in ensuring the privacy of data that is sent to a third-party service.This is in contrast with schemes like Paillier where you can not perform a multiplication of encrypted data without decrypting the data first, or ElGamal where you can not perform an addition of encrypted data without decrypting the data first.This thesis acts as a survey of the most recent fully homomorphic encryption schemes. We study some of the latest fully homomorphic encryption schemes, make an analysis of them and make a comparison.These schemes have some elements in common:1. An efficient lattice-based cryptosystem, with security based on the hardness of well-known lattice problems. 2. An evaluation function with definitions for $c_{add}$ and $c_{mult}$, such that the noise does not rapidly increase.3. Techniques to make the scheme fully homomorphic with this evaluation function. Whenever possible, we rewrite the main results of these schemes in a more detailed and readable format.Apart from Gentry's scheme, the schemes that we choose to discuss are very new. The earliest one was published in October 2011, while some are still only available as eprints. We hope this work can help readers be up to date with the field of fully homomorphic encryption, paving way to further advances in the field